CVE-2025-21714: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix implicit ODP use after free

Prevent double queueing of implicit ODP mr destroy work by using __xa_cmpxchg() to make sure this is the only time we are destroying this specific mr.

Without this change, we could try to invalidate this mr twice, which in turn could result in queuing an MR destroy work twice, and eventually the second work could execute after the MR was freed due to the first work, causing a use after free and trace below.

refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130
Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]
CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib]
RIP: 0010:refcount_warn_saturate+0x12b/0x130
Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff <0f> 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff
RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027
RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0
RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019
R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00
R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0
FS: 0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ? refcount_warn_saturate+0x12b/0x130
 free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib]
 process_one_work+0x1cc/0x3c0
 worker_thread+0x218/0x3c0
 kthread+0xc6/0xf0
 ret_from_fork+0x1f/0x30
 </TASK>
AI Analysis
Technical Summary
CVE-2025-21714 is a high-severity vulnerability in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically in the mlx5 driver for Mellanox network adapters. The flaw is a use-after-free (CWE-416, a common and dangerous class of kernel memory corruption) in the handling of implicit On-Demand Paging (ODP) memory regions (MRs). A race condition lets the kernel invalidate the same implicit child MR twice, and each invalidation queues a destroy work item for it; the second item runs after the first has already freed the MR. The result is a refcount underflow on freed memory, which is what the quoted trace shows: the warning is raised in refcount_warn_saturate() from free_implicit_child_mr_work in the mlx5_ib module, running on the events_unbound workqueue. Exploiting the flaw could allow a local attacker with low privileges (PR:L) to execute arbitrary code in kernel context or crash the system (denial of service). The CVSS 3.1 score is 7.8: high impact on confidentiality, integrity, and availability, low attack complexity, and no user interaction required. Affected versions include the 6.5.0-rc1_net_next_mlx5_58c644e build shown in the trace and likely other kernels that ship the mlx5 driver with implicit ODP support. No exploits are currently reported in the wild, but the flaw is serious enough to warrant prompt patching. The fix guards the destroy path with __xa_cmpxchg() so that only one invalidation can remove the MR's table entry and queue its destruction.
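The following is an added illustration, not code from the page or from the mlx5_ib driver. It models the bug class described above in plain C11: a "check the entry, then queue the destroy work" pattern lets two invalidations of the same child MR both queue a destroy, and the second run hits an already released object, while an atomic compare-and-exchange on the table entry (the role __xa_cmpxchg() plays in the kernel fix) lets exactly one caller own the destruction. The single-slot table, the toy refcount, and the sequential "race" are constructed assumptions; the kernel's xarray, refcount_t and workqueue are only stood in for.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define WORK_QUEUE_MAX 8

/* A toy memory region: the kernel's refcount_t is modelled by an atomic int. */
struct mr {
    atomic_int refcount;
    bool freed;             /* set once the destroy work has released it */
};

/* The parent's table of implicit child MRs, reduced to one slot. In the
 * driver this is an xarray; the fix applies __xa_cmpxchg() to it. */
static struct mr *_Atomic child_slot;

/* Pending destroy work, run later by run_scenario() like an unbound workqueue. */
static struct mr *work_queue[WORK_QUEUE_MAX];
static int work_count;

struct race_result {
    int queued;       /* destroy work items queued for the same MR */
    int underflows;   /* runs that found the MR already released */
};

static void queue_destroy_work(struct mr *mr)
{
    if (work_count < WORK_QUEUE_MAX)
        work_queue[work_count++] = mr;
}

/* The destroy work: clear the table entry, drop the last reference, release
 * the MR. A second run on a released MR is the condition the kernel reports as
 * "refcount_t: underflow; use-after-free"; here it is counted, not dereferenced. */
static int free_child_mr_work(struct mr *mr)
{
    if (mr->freed || atomic_load(&mr->refcount) <= 0)
        return 1;
    atomic_store(&child_slot, NULL);
    if (atomic_fetch_sub(&mr->refcount, 1) == 1)
        mr->freed = true;               /* last reference gone: the "kfree" */
    return 0;
}

/* Unfixed pattern: check the entry, then queue. The entry is only cleared by
 * the work itself, so two invalidations that both observe the live entry
 * before the work runs both queue a destroy. */
static void invalidate_racy(struct mr *mr)
{
    if (atomic_load(&child_slot) == mr)
        queue_destroy_work(mr);
}

/* Fixed pattern: atomically exchange the entry from mr to NULL. Only the caller
 * whose exchange succeeds owns the destruction; a later caller finds the slot
 * already empty and does nothing. */
static void invalidate_guarded(struct mr *mr)
{
    struct mr *expected = mr;
    if (atomic_compare_exchange_strong(&child_slot, &expected, NULL))
        queue_destroy_work(mr);
}

/* Drive one scenario: two invalidations of the same child MR, then run every
 * queued work item. The calls are sequential on purpose: this is exactly the
 * interleaving in which both racing paths see the entry before either clears it. */
static struct race_result run_scenario(void (*invalidate)(struct mr *))
{
    static struct mr child;
    struct race_result r = {0, 0};

    atomic_store(&child.refcount, 1);
    child.freed = false;
    atomic_store(&child_slot, &child);
    work_count = 0;

    invalidate(&child);
    invalidate(&child);
    r.queued = work_count;

    for (int i = 0; i < work_count; i++)
        r.underflows += free_child_mr_work(work_queue[i]);
    return r;
}

int main(void)
{
    struct race_result racy = run_scenario(invalidate_racy);
    struct race_result fixed = run_scenario(invalidate_guarded);
    printf("check-then-queue: queued=%d underflows=%d\n", racy.queued, racy.underflows);
    printf("cmpxchg guard:    queued=%d underflows=%d\n", fixed.queued, fixed.underflows);
    return 0;
}
```

The design point is ownership: whoever wins the exchange is the only path that may queue the destroy, so a duplicate invalidation can never produce a duplicate free. A check followed by a separate clear, or a clear performed only by the work itself, leaves a window between observation and removal in which a second caller sees the same live entry.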
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those running Linux servers with Mellanox RDMA-capable network adapters, which are common in high-performance computing, data centers, and cloud infrastructure. Exploitation could lead to privilege escalation and kernel-level code execution, compromising sensitive data and critical systems; the use-after-free can also crash the system, causing denial of service and operational disruption. Given the widespread deployment of Linux in enterprise and government environments across Europe, affected sectors include finance, telecommunications, research institutions, and critical infrastructure. The high impact on confidentiality, integrity, and availability means attackers could exfiltrate data, alter system behavior, or disrupt services. The local-privilege requirement narrows the attack surface somewhat, but insider threats or compromised user accounts could still leverage this flaw. The absence of known exploits currently provides a window for mitigation, but the vulnerability should be treated with urgency given its potential severity.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address the double queueing and use-after-free in the mlx5 RDMA driver as soon as possible. Monitor kernel updates from trusted sources and deploy them promptly.
2. If patching is not immediately feasible, consider temporarily disabling RDMA functionality or the mlx5 driver, especially on systems where RDMA is not critical.
3. Enforce strict access controls and monitoring on RDMA-capable systems to limit local user privileges and detect activity that could indicate exploitation attempts.
4. Use kernel hardening such as Kernel Address Space Layout Randomization (KASLR), Kernel Page Table Isolation (KPTI), and security modules like SELinux or AppArmor to raise the cost of exploitation.
5. Audit user accounts and privilege assignments to reduce the chance of a local attacker obtaining the privileges needed to exploit this flaw.
6. Log and alert on kernel warnings and crashes related to refcount issues or the mlx5 modules (such as the refcount_t underflow warning and the mlx5_ib workqueue frame in the trace above) to enable early detection of exploitation attempts.
7. Coordinate with hardware vendors and Linux distribution maintainers to ensure compatibility and timely updates of RDMA drivers and kernel versions.
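For recommendation 6, the following added example (not a tool from the page or from any vendor) turns kernel log lines into a structured verdict: it looks for the refcount underflow warning, then collects the PID, the workqueue function and whether the trace is attributed to the mlx5_ib module. The two sample logs are constructed for this example; the first is a trimmed copy of the trace quoted above, the second is a made-up underflow from a placeholder module named some_other_mod, included to show that a generic refcount warning and one pointing at mlx5_ib are reported differently.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts returned by scan_kernel_log(). */
enum refcount_verdict {
    VERDICT_NONE = 0,           /* no refcount underflow warning in the lines */
    VERDICT_UNDERFLOW = 1,      /* underflow warning, origin not in mlx5_ib */
    VERDICT_UNDERFLOW_MLX5 = 2  /* underflow warning attributed to [mlx5_ib] */
};

struct refcount_alert {
    int pid;                    /* PID from the WARNING line, -1 if not found */
    bool in_mlx5_ib;            /* workqueue or trace frame lives in [mlx5_ib] */
    char workqueue_fn[64];      /* function named on the Workqueue: line */
};

/* Scan kernel log lines in order. After a "refcount_t: underflow" warning,
 * collect the PID, the workqueue function and whether any frame or workqueue
 * is in the mlx5_ib module. "[mlx5_ib]" with brackets is matched deliberately:
 * the "Modules linked in:" list names every loaded module and must not count. */
static enum refcount_verdict scan_kernel_log(const char *const *lines, size_t n,
                                             struct refcount_alert *out)
{
    bool underflow_seen = false;

    memset(out, 0, sizeof(*out));
    out->pid = -1;
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (strstr(l, "refcount_t: underflow; use-after-free")) {
            underflow_seen = true;
            continue;
        }
        if (!underflow_seen)
            continue;                       /* noise before the warning */
        if (strncmp(l, "WARNING:", 8) == 0)
            sscanf(l, "WARNING: CPU: %*d PID: %d", &out->pid);
        else if (strncmp(l, "Workqueue:", 10) == 0)
            sscanf(l, "Workqueue: %*s %63s", out->workqueue_fn);
        if (strstr(l, "[mlx5_ib]"))
            out->in_mlx5_ib = true;
    }
    if (!underflow_seen)
        return VERDICT_NONE;
    return out->in_mlx5_ib ? VERDICT_UNDERFLOW_MLX5 : VERDICT_UNDERFLOW;
}

/* Constructed sample: the page's trace, trimmed, behind one unrelated line. */
static const char *const SAMPLE_MLX5_LOG[] = {
    "systemd[1]: Started Daily Cleanup of Temporary Directories.",
    "refcount_t: underflow; use-after-free.",
    "WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130",
    "Modules linked in: bonding ib_ipoib mlx5_ib ib_uverbs mlx5_core fuse",
    "CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1",
    "Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib]",
    "Call Trace:",
    " <TASK>",
    " ? refcount_warn_saturate+0x12b/0x130",
    " free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib]",
    " process_one_work+0x1cc/0x3c0",
    " </TASK>",
};
#define SAMPLE_MLX5_LOG_LEN (sizeof(SAMPLE_MLX5_LOG) / sizeof(SAMPLE_MLX5_LOG[0]))

/* Constructed sample: an underflow from a placeholder module, not mlx5_ib. */
static const char *const SAMPLE_OTHER_LOG[] = {
    "refcount_t: underflow; use-after-free.",
    "WARNING: CPU: 0 PID: 77 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130",
    "Modules linked in: mlx5_ib mlx5_core some_other_mod",
    "Call Trace:",
    " some_other_release+0x40/0x90 [some_other_mod]",
};
#define SAMPLE_OTHER_LOG_LEN (sizeof(SAMPLE_OTHER_LOG) / sizeof(SAMPLE_OTHER_LOG[0]))

static struct refcount_alert g_alert;   /* last alert filled in by the scanner */

int main(void)
{
    enum refcount_verdict v = scan_kernel_log(SAMPLE_MLX5_LOG, SAMPLE_MLX5_LOG_LEN, &g_alert);
    printf("verdict=%d pid=%d workqueue=%s mlx5_ib=%d\n",
           v, g_alert.pid, g_alert.workqueue_fn, g_alert.in_mlx5_ib);
    v = scan_kernel_log(SAMPLE_OTHER_LOG, SAMPLE_OTHER_LOG_LEN, &g_alert);
    printf("verdict=%d pid=%d mlx5_ib=%d\n", v, g_alert.pid, g_alert.in_mlx5_ib);
    return 0;
}
```

In practice the lines would come from the kernel ring buffer or the journal rather than a static array; the point of the verdict split is that any refcount underflow is worth a ticket, while one attributed to the mlx5_ib workqueue on an unpatched host is the specific signature this advisory describes.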
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.752Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8599
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 4:26:01 AM
Last updated: 7/29/2025, 8:59:31 PM